third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp - Issue 2290193003: Include the Origin header for XHR and Fetch API even if the request is same-origin

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

Issue 2290193003: Include the Origin header for XHR and Fetch API even if the request is same-origin

Patch Set: a Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« no previous file with comments | « third_party/WebKit/Source/core/loader/DocumentThreadableLoader.h ('k') | third_party/WebKit/Source/core/loader/ThreadableLoader.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

diff --git a/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp b/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

index 593c806a974ebfc1e1b984e4e34c984f7b91679b..94987bc883057db2bd02e0edbadfa04e64a65f4a 100644

--- a/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

+++ b/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

@@ -249,6 +249,10 @@ void DocumentThreadableLoader::start(const ResourceRequest& request)

// handled a request.

m_fallbackRequestForServiceWorker.setSkipServiceWorker(WebURLRequest::SkipServiceWorker::Controlling);

}

+ if (m_options.sameOriginHeaderPolicy == IncludeSameOriginHeader)

+ newRequest.setHTTPOrigin(getSecurityOrigin());

loadRequest(newRequest, m_resourceLoaderOptions);

return;

}

@@ -256,9 +260,12 @@ void DocumentThreadableLoader::start(const ResourceRequest& request)

dispatchInitialRequest(newRequest);

}

-void DocumentThreadableLoader::dispatchInitialRequest(const ResourceRequest& request)

+void DocumentThreadableLoader::dispatchInitialRequest(ResourceRequest& request)

{

if (!request.isExternalRequest() && (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)) {

+ if (m_options.sameOriginHeaderPolicy == IncludeSameOriginHeader)

+ request.setHTTPOrigin(getSecurityOrigin());

loadRequest(request, m_resourceLoaderOptions);

return;

}

@@ -313,7 +320,7 @@ void DocumentThreadableLoader::makeCrossOriginAccessRequest(const ResourceReques

} else {

m_crossOriginNonSimpleRequest = true;

// Do not set the Origin header for preflight requests.

- updateRequestForAccessControl(crossOriginRequest, 0, effectiveAllowCredentials());

+ updateRequestForAccessControl(crossOriginRequest, nullptr, effectiveAllowCredentials());

// We update the credentials mode according to effectiveAllowCredentials() here for backward compatibility. But this is not correct.

// FIXME: We should set it in the caller of DocumentThreadableLoader.

crossOriginRequest.setFetchCredentialsMode(effectiveAllowCredentials() == AllowStoredCredentials ? WebURLRequest::FetchCredentialsModeInclude : WebURLRequest::FetchCredentialsModeOmit);